TYPO3-CORE-SA-2019-012: Possible Arbitrary Code Execution in Image Processing

Categories: Development Created by Oliver Hader
It has been discovered, that TYPO3 CMS is vulnerable to arbitrary code execution.
  • Component Type: TYPO3 CMS
  • Vulnerable subcomponent: Image Processing via ImageMagick (ext:core)
  • Release Date: May 7, 2019
  • Vulnerability Type: Arbitrary Code Execution
  • Affected Versions: 8.0.0-8.7.24 and 9.0.0-9.5.5
  • Severity: High - Critical
  • Suggested CVSS v3.0: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
  • CVE: CVE-2019-11832

Problem Description

Image processing, e.g. for generating thumbnails, is actually delegated to ImageMagick (or GraphicsMagick) for the low-level processing. Whenever ImageMagick is invoked in order to convert data the mime-type of the source is identified for invoking according coders when reading data. In case an attacker manages to upload an image file containing PostScript code it will be executed on the server system when generating according visual previews or thumbnails.

In order to exploit this vulnerability the following aspects must be fulfilled:

  • GhostScript binary gs available on server system
  • ImageMagick policy.xml settings are not strict (see below in next section)
  • either having a valid backend user account having access to filelist module
  • or having some frontend application that allows uploading and previewing files without according file mime-type validation

Solution

Update to TYPO3 versions 8.7.25 or 9.5.6 that fix the problem described.

In general it is suggested to make use of according ImageMagick policy.xml settings in order to disable potential insecure file types. ImageMagick suggests to disable PDF which probably still should be allowed for a content management system - the reason is that ImageMagick uses the GhostScript interpreter in order to convert PostScript and PDF contents which has been vulnerable to buffer overflow. Please read those suggestions provided at https://imagemagick.org/script/security-policy.php

Image processing in TYPO3 has been changed to explicitly require an according image format even if the file contents are e.g. PostScript code - this mitigates the possibility of arbitrary code execution.

The following example shows low-level Image invocation for an arbitrary file that is expected to be PNG. Executing PostScript is disabled using the according png: format prefix.

convert -geometry 200x100 png:malicious.ps.png thumbnail.png

Credits

Thanks to Lauritz Holtmann who reported & analyzed this issue and to TYPO3 security team member Oliver Hader who fixed the issue.

General Advice

Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note

All security related code changes are tagged so that you can easily look them up in our review system.